xzamirx / foursquared

Automatically exported from code.google.com/p/foursquared
0 stars 0 forks source link

"Basic Auth" over plaintext transport (HTTP) is suboptimal #163

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Run protocol analyser ("packet sniffer"; tcpdump, or whatever suits you)
on the handset or from some other vantage point (router, firewall, whatever)
2. Login and use Foursquare on Android
3. Observe that Basic Auth is used
4. Frown

What is the expected output? What do you see instead?

Using SSL/TLS would be ideal, assuming Basic Auth is still used, or
utilizing some kind of session management in lieu of SSL

What version of the product are you using? On what operating system?

Foursquare 20100114 on Android (1.6)

Please provide any additional information below.

Original issue reported on code.google.com by quine.n0where@gmail.com on 1 Feb 2010 at 1:20

Attachments:

GoogleCodeExporter commented 9 years ago
This has been verified on iphone as well.

It seems API behavior is the same across all mobile platforms. 

All communications to api.foursquare.com when sniffed see http headers:

Auth Basic T2hUaGlua1lvdXJlOkNsZXZlckRvbnRjaGEK

Transmitting credentials unencrypted is bad, mmkay?

Original comment by viss...@gmail.com on 1 Feb 2010 at 6:08